Guy Harris wrote:
>
> The way display filter primitive expressions work is:
> ...
> a primitive expression with a comparison operator evaluates to
> "true" if an instance of that field appears in the protocol tree
> and the comparison operation, with the value supplied and the
> value for that instance, evaluates to "true", and "false"
> otherwise.

I think to make people happy, the lookup for the field should possibly
return a value of FT_UNDEF (or equivalent) when the field does not
exist... And then call the comparison operator for FT_UNDEF... which
basically returns false for everything but != (or other relations that
are chosen to return true... such as !> or !>=, if they existed...)

The only problem with that would be if somebody did something like
"tcp.src != tcp.dst" and a malformed frame is discovered with tcp.src
defined and not tcp.dst... then tcp.src might try and use FT_UNDEF as
FT_INT (or whatever tcp.src is...).

I can imagine a couple ways to solve that. Either the relational
operators check for FT_UNDEF if they would cause trouble...

or (the case I like better)

the code to perform the comparison of values checks to see if the right
hand side is FT_UNDEF and the left-hand side isn't FT_UNDEF... and in
that rare case, call FT_UNDEF's operator (< becomes >, == stays ==,
etc...)

FT_UNDEF's relational operators might need to be slightly more complex
than I quoted earlier.

== and similar should probably be {return false;}
!= should probably be {return right_operand_type != FT_UNDEF;}
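
A minimal C model of the dispatch proposed in the message above, added here as an illustration; it is not code from the message or from the project's source. `value_t`, `compare_values` and the other helper names are hypothetical, FT_INT stands in for any ordinary field type, and the ordering operators on FT_UNDEF are assumed to return false like ==.

```c
#include <stdbool.h>

/* Constructed model: FT_UNDEF is the type proposed in the message above. */
typedef enum { FT_UNDEF, FT_INT } ftype_t;
typedef enum { OP_EQ, OP_NE, OP_LT, OP_GT, OP_LE, OP_GE } relop_t;
typedef struct { ftype_t type; long ival; } value_t; /* ival valid only for FT_INT */

/* Mirror an operator so "a OP b" can be evaluated as "b OP' a". */
static relop_t mirror(relop_t op)
{
    switch (op) {
    case OP_LT: return OP_GT;
    case OP_GT: return OP_LT;
    case OP_LE: return OP_GE;
    case OP_GE: return OP_LE;
    default:    return op;      /* == and != are symmetric */
    }
}

/* FT_UNDEF's own operators: the left operand is the missing field. */
static bool undef_compare(relop_t op, const value_t *right)
{
    if (op == OP_NE)
        return right->type != FT_UNDEF;
    return false;               /* ==, <, >, <=, >= never match */
}

static bool int_compare(relop_t op, long a, long b)
{
    switch (op) {
    case OP_EQ: return a == b;
    case OP_NE: return a != b;
    case OP_LT: return a <  b;
    case OP_GT: return a >  b;
    case OP_LE: return a <= b;
    case OP_GE: return a >= b;
    }
    return false;
}

/* Dispatch: a missing operand is never read as an integer. */
bool compare_values(relop_t op, const value_t *l, const value_t *r)
{
    if (l->type == FT_UNDEF)
        return undef_compare(op, r);
    if (r->type == FT_UNDEF)
        return undef_compare(mirror(op), l);
    return int_compare(op, l->ival, r->ival);
}
```

With tcp.src present and tcp.dst missing, "tcp.src != tcp.dst" goes through the mirrored FT_UNDEF operator and evaluates to true without ever reading the missing value.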